US9319351B1 - Mechanism for wire-speed stateful packet inspection in packet processors - Google Patents

Mechanism for wire-speed stateful packet inspection in packet processors

Info

Publication number
US9319351B1
Authority
US
United States
Prior art keywords
metadata
values
value
rule
packet
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active, expires
Application number
US14/090,368
Inventor
Michael Orr
Gad Hutt
David MELMAN
Uri Safrai
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Marvell Israel MISL Ltd
Marvell Asia Pte Ltd
Original Assignee
Marvell International Ltd
Marvell Israel MISL Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Marvell International Ltd, Marvell Israel MISL Ltd
Priority to US14/090,368
Assigned to MARVELL SEMICONDUCTOR, INC. (assignment of assignors interest). Assignors: ORR, MICHAEL; SAFRAI, URI; HUTT, GAD
Assigned to MARVELL INTERNATIONAL LTD. (assignment of assignors interest). Assignors: MARVELL SEMICONDUCTOR, INC.
Assigned to MARVELL ISRAEL (M.I.S.L) LTD (assignment of assignors interest). Assignors: MELMAN, DAVID
Application granted
Publication of US9319351B1
Assigned to CAVIUM INTERNATIONAL (assignment of assignors interest). Assignors: MARVELL INTERNATIONAL LTD.
Assigned to MARVELL ASIA PTE, LTD. (assignment of assignors interest). Assignors: CAVIUM INTERNATIONAL

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L47/00 Traffic control in data switching networks
    • H04L47/10 Flow control; Congestion control
    • H04L47/24 Traffic characterised by specific attributes, e.g. priority or QoS
    • H04L47/2441 Traffic characterised by specific attributes, e.g. priority or QoS, relying on flow classification, e.g. using integrated services [IntServ]
    • H04L49/00 Packet switching elements
    • H04L49/45 Arrangements for providing or supporting expansion
    • H04L45/00 Routing or path finding of packets in data switching networks
    • H04L45/74 Address processing for routing
    • H04L45/745 Address table lookup; Address filtering

Definitions

  • The descriptor is provided to a rule matching circuit 354 that selects a rule either exactly matching the descriptor or based on a best match.
  • The rule matching circuit 354 may evaluate a predetermined set of rules in a predefined order and select the first matching rule. Further rules in the predetermined set of rules that would have matched the descriptor are ignored once the match is found. Alternatively, actions corresponding to all matching rules may be performed. Because the actions may be inconsistent, the actions may be performed in reverse order of priority, i.e., the action corresponding to the highest priority rule is performed last and can therefore partially or fully override actions corresponding to lower priority rules.
  • The matched rule from the rule matching circuit 354 includes a pointer to a specific action in an action circuit 358.
  • The action circuit 358 performs the action pointed to by the rule matching circuit 354.
  • The incoming packet may be stored in a packet storage circuit 362.
  • The selected action of the action circuit 358 may include modifying part of the packet stored in the packet storage circuit 362.
  • The action circuit 358 may update the descriptor and output the updated descriptor.
  • The updated descriptor may include bits indicating what should be done with the corresponding packet. For example, a single bit may indicate that the packet should be dropped. Multiple bits of the descriptor may indicate a port from which the packet should be forwarded.
  • The descriptor (as modified) from the action circuit 358 may be output from the packet processor 312 along with a copy of the packet (as modified). In other implementations, such as is shown in FIG. 3A, additional rule sets may be applied to the packet.
  • The descriptor is therefore provided to a second rule matching circuit 366, which identifies a rule that matches the descriptor and points to an action in a second action circuit 370.
  • The second action circuit 370 performs the selected action, which may include modifying the packet stored in the packet storage circuit 362 and/or the descriptor.
  • A packet processor may implement additional rounds of rule matching.
  • The rule sets used by the rule matching circuit 354 and the second rule matching circuit 366 may be the same.
  • The sets of actions in the action circuit 358 and the second action circuit 370 may be the same.
  • In FIG. 3B, the action circuit 358 and the rule matching circuit 354 of a packet processor 380 may iteratively operate on the packet and the descriptor for multiple rounds.
  • The extraction circuit 350 provides the descriptor to the action circuit 358 via a first input of a multiplexer 390.
  • The action circuit 358 can feed the descriptor back to the rule matching circuit 354 via a second input of the multiplexer 390.
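As an added example (not code from the patent or from Marvell), the following Python model shows the two rule-evaluation policies described above for the rule matching circuit: first-match, where later rules that would also have matched are ignored, and all-match, where every matching rule's action is performed in reverse priority order so that the highest-priority rule's action lands last and overrides conflicting ones. The descriptor field names, the rule names and the ternary (pattern, mask) representation of a rule are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

Descriptor = Dict[str, int]           # fields the extraction circuit produced (constructed names)
Fields = Dict[str, Tuple[int, int]]   # field -> (pattern, mask); an absent field is a wildcard

@dataclass
class Rule:
    """One entry of the rule set: a ternary pattern plus a pointer to an action."""
    name: str
    match: Fields
    action: Callable[[Descriptor], None]

    def matches(self, d: Descriptor) -> bool:
        # Ternary compare: only the bits set in each field's mask are significant.
        return all((d.get(f, 0) & m) == (p & m) for f, (p, m) in self.match.items())

# Actions from the action set: each rewrites control bits of the descriptor.
def set_drop(d: Descriptor) -> None:
    d["drop"] = 1

def set_priority(p: int) -> Callable[[Descriptor], None]:
    def act(d: Descriptor) -> None:
        d["priority"] = p
    return act

def set_egress_port(port: int) -> Callable[[Descriptor], None]:
    def act(d: Descriptor) -> None:
        d["egress_port"] = port
    return act

# Constructed rule set in priority order (index 0 = highest priority).
RULES: List[Rule] = [
    Rule("block-telnet",   {"dst_port": (23, 0xFFFF)},           set_drop),
    Rule("mgmt-net-prio",  {"src_ip": (0x0A000000, 0xFF000000)}, set_priority(7)),  # 10.0.0.0/8
    Rule("http-bulk-prio", {"dst_port": (80, 0xFFFF)},           set_priority(1)),
    Rule("default-fwd",    {},                                    set_egress_port(2)),
]

def first_match(desc: Descriptor, rules: List[Rule] = RULES) -> Tuple[Descriptor, List[str]]:
    """Policy 1: evaluate in order and perform only the first matching rule's action;
    later rules that would also have matched are ignored."""
    d = dict(desc)
    for r in rules:
        if r.matches(d):
            r.action(d)
            return d, [r.name]
    return d, []

def all_match_reverse_priority(desc: Descriptor, rules: List[Rule] = RULES) -> Tuple[Descriptor, List[str]]:
    """Policy 2: perform every matching rule's action, lowest priority first, so the
    highest-priority rule's action is performed last and overrides conflicting ones."""
    d = dict(desc)
    hits = [r for r in rules if r.matches(d)]
    for r in reversed(hits):
        r.action(d)
    return d, [r.name for r in hits]
```

With a packet from 10.0.0.1 to TCP port 80, first-match sets only priority 7 and never reaches the default forwarding rule, whereas all-match applies the forwarding rule, then the bulk priority 1, and finally overrides it with priority 7 from the higher-priority management rule. Under both policies a rule that sets the drop bit wins over anything below it, because either it is the first match or its action is performed last.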
  • FIG. 4A illustrates a packet processor 400 according to one implementation.
  • The packet processor 400 keeps track of state information, thereby allowing for stateful packet inspection.
  • The packet processor 400 builds on the disclosure of FIGS. 3A and 3B. In other words, one or more rounds of rule matching may be performed using either or both of the techniques shown in FIGS. 3A and 3B.
  • The additional structures described for storing state information can be implemented in an existing non-programmable packet processor, such as a packet processor in the Marvell® Prestera® family.
  • An extraction circuit 404 receives an incoming packet and prepares a descriptor.
  • The descriptor is provided to an assignment circuit 408, which determines a metadata identifier corresponding to the descriptor.
  • The metadata identifier is an index into a metadata table 412, also called a lookup circuit.
  • The metadata table 412 stores multiple metadata entries that are persistent across multiple packets. In other words, the metadata may be updated by an action corresponding to one packet and then referenced by a rule corresponding to a future packet.
  • The metadata table 412 may include 1,024 metadata entries that are each 16 bits in length.
  • The 16 bits can be bit-masked and subdivided for semantics and code-space divisions.
  • One of the bits, such as the most significant bit, can indicate that the metadata entry is to be used only once.
  • Multiple bits may be used as an aging counter to determine when the metadata may be stale and no longer relevant, or for use in determining which metadata to replace with more recent data.
  • A single bit could indicate whether a transmission control protocol (TCP) connection is established.
  • Multiple bits may be used to track the TCP handshake process.
  • Each entry of the metadata table 412 stores a value and is identified by a corresponding metadata identifier.
  • The metadata entries are numbered sequentially, and the metadata identifier indicates the metadata entry's location within that sequential order. For example only, with 1,024 (2^10) metadata entries, the metadata entries can be numbered from 0 to 1,023, with the metadata identifier being a 10-bit binary number.
  • In response to receiving a metadata identifier of, for example, 645 (1010000101 in binary), the metadata table 412 returns the value stored in the 646th metadata entry (the entry numbered 645, since numbering starts at 0).
  • The assignment circuit 408 may be set up so that incoming packets corresponding to a certain destination address and certain TCP port number are assigned the same metadata identifier.
  • The metadata corresponding to that metadata identifier may store information relating to that flow of packets, such as whether a TCP connection has been established and/or a measure of throughput for that flow of packets.
  • A tagging circuit 416 combines the descriptor with the metadata identifier and outputs the tagged descriptor to a rule matching circuit 420 and the metadata table 412.
  • The tagging circuit 416 may simply concatenate the descriptor with the metadata identifier.
  • The metadata identifier portion of the descriptor indexes the metadata table 412, which allows the metadata table 412 to provide corresponding metadata to the rule matching circuit 420.
  • Based on the provided metadata and the descriptor, the rule matching circuit 420 identifies a matching rule.
  • The matching rule points to a particular action in an action circuit 424.
  • The identified action may modify the descriptor, may modify the incoming packet as stored in a packet storage circuit 428, and/or may modify the associated metadata in the metadata table 412.
  • The descriptor as updated may be provided to a second rule matching circuit 432, which identifies a matching rule based on the descriptor as well as based on the corresponding metadata from the metadata table 412.
  • The second rule matching circuit 432 selects a corresponding action in a second action circuit 436.
  • The second action circuit 436 may modify metadata in the metadata table 412, packet data in the packet storage circuit 428, and/or the packet descriptor.
  • The resulting descriptor is output from the packet processor 400, as is the outgoing packet.
  • The egress circuit 316 of FIG. 2 may receive a packet and a descriptor indicating that the packet should be dropped. In other implementations, when the descriptor of an outgoing packet indicates the packet should be dropped, the descriptor and the outgoing packet may simply not be forwarded to the egress circuit 316.
  • Although FIG. 4A shows a single metadata table, a metadata table may be implemented in the packet processor 400 for each set of rules. See, for example, FIG. 4B, where an example packet processor 440 includes a second metadata table 450 configured to provide metadata to the second rule matching circuit 432 based on the metadata identifier embedded in the descriptor.
  • A metadata table may be dedicated to each networking port, to each packet queue, and/or to each virtual local area network (VLAN).
  • A metadata table may also be dedicated to storing counters, which may be used to track packets in particular flows for rate limiting and/or quality of service control.
  • A metadata table may be implemented for each pipeline stage.
  • A rule matching circuit may evaluate a set of rules in a predefined order. When evaluating the first rule to determine a match, the rule matching circuit may use metadata values from a first metadata table, and when evaluating the second rule to determine a match, the rule matching circuit may use metadata values from a second metadata table, etc. In various implementations, the first rule to match is selected, meaning that rules earlier in the predefined order have a higher priority.
  • The metadata identifier for the packet may be changed between rounds.
  • For example, the assignment circuit 408 may assign a metadata identifier to the packet for a first round based on a TCP port number of the packet.
  • For a subsequent round, a different metadata identifier based on source address may be assigned to the packet.
  • FIG. 4C shows an example packet processor 480 in an iterative configuration, where the action circuit 424 and the rule matching circuit 420 perform one or more rounds of rule matching and actions on a packet.
  • A multiplexer 484, which may operate similarly to the multiplexer 390 of FIG. 3B, allows the descriptor to be fed back to the metadata table 412, the rule matching circuit 420, and the action circuit 424 for additional rounds of processing.
  • In FIGS. 5A-5C, an incoming packet (referred to as the "first packet") is stored into a packet memory in phase 1, depicted with a numeral 1 in a circle.
  • The first packet is provided to the extraction circuit 404, which generates a first classifier.
  • The first classifier is stored in a corresponding section of classifier memory in phase 3.
  • The classifier memory also includes a field for a metadata ID, but the metadata ID is not immediately known.
  • The stored first classifier is provided to assignment memory, which has a set of rules and corresponding metadata IDs. The first classifier is used to match against the set of rules in the assignment memory, and the metadata ID corresponding to the matched rule (referred to as the first ID) is provided to the classifier memory for storage with the first classifier in phase 5.
  • The first ID is used to index into metadata memory in phase 6.
  • The designated metadata is output from the metadata memory, and in phase 8 the first classifier from the classifier memory is output.
  • The designated metadata and the first classifier are combined, such as by concatenation, and the resulting combination is used in phase 9 to identify a matching rule in first rule memory.
  • A pointer stored by the matching rule identifies an action in a first action memory.
  • Phase 11 includes performing the target action from the first action memory.
  • The selected action may include modifying the first classifier, modifying the designated metadata, and/or modifying the first packet.
  • Phases 7 through 11 may be repeated on the packet, with the same or differing rule memory and with the same or differing action memory.
  • The packet processor 400 may allow significant stateful packet inspection functionality without requiring network processors or the less-than-wire-speed performance of a software implementation.
  • The rule tables and assignment tables described above may be implemented as content-addressable memories, or more particularly as ternary content addressable memories (TCAMs). Ternary content addressable memories allow for matches where certain bits that are not of interest are ignored.
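As an added example (not code from the patent or from Marvell), the following Python model walks the data flow of FIG. 4A and the phases of FIGS. 5A-5C for one packet at a time: a classifier is extracted, an assignment table maps it to a metadata ID, the metadata table is indexed, the classifier and metadata are concatenated into the key for a ternary rule match, and the selected action may rewrite the metadata entry, which is how state carries over to later packets. The 16-bit entry layout follows the text's description (one-shot MSB, an aging counter, handshake and established bits) but the exact bit positions, the TCP handshake rule set, the assignment rules, the address and port values and the packet trace are all constructed assumptions. Entry 0 acting as the catch-all for unassigned packets is likewise an assumption.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

# Constructed 16-bit metadata entry layout (bit positions are assumptions).
META_ONESHOT = 1 << 15                   # MSB: entry is to be used only once
META_AGE_SHIFT = 12
META_AGE_MASK = 0x7 << META_AGE_SHIFT    # bits 12-14: aging counter, 7 = stale
META_ESTAB = 1 << 0                      # TCP connection established
META_SYN_SEEN = 1 << 1                   # handshake tracking bits
META_SYNACK_SEEN = 1 << 2
TCP_FIN, TCP_SYN, TCP_RST, TCP_PSH, TCP_ACK = 0x01, 0x02, 0x04, 0x08, 0x10
SYNACK = TCP_SYN | TCP_ACK
Fields = Dict[str, Tuple[int, int]]      # field -> (pattern, mask); absent field = don't care

def ternary_match(entry: Fields, key: Dict[str, int]) -> bool:
    """TCAM-style compare: only the bits set in the mask are significant."""
    return all((key.get(f, 0) & m) == (p & m) for f, (p, m) in entry.items())

@dataclass
class Rule:                              # rule memory entry: pattern plus pointer to an action
    name: str
    match: Fields                        # may reference classifier fields and the "meta" value
    action: Callable[[Dict[str, int], int], Tuple[Dict[str, int], int]]

class StatefulPacketProcessor:
    def __init__(self, assign_rules: List[Tuple[Fields, int]], rules: List[Rule], entries: int = 1024):
        self.metadata = [0] * entries    # metadata table 412: persists across packets
        self.assign_rules = assign_rules # assignment memory: (classifier pattern, metadata ID)
        self.rules = rules

    def assign(self, clf: Dict[str, int]) -> int:      # assignment circuit 408
        for pattern, mid in self.assign_rules:         # first matching assignment rule wins
            if ternary_match(pattern, clf):
                return mid
        return 0                                       # assumption: entry 0 is the catch-all

    def process(self, pkt: Dict[str, int]) -> Tuple[Dict[str, int], str]:
        # Extraction: build the classifier (descriptor) from packet fields, plus a drop bit.
        clf = {k: pkt[k] for k in ("src_ip", "dst_ip", "src_port", "dst_port", "tcp_flags")}
        clf["drop"] = 0
        mid = self.assign(clf)
        meta = self.metadata[mid]                      # lookup by metadata ID
        one_shot = bool(meta & META_ONESHOT)
        key = dict(clf, meta=meta)                     # tagging: concatenate classifier and metadata
        hit = "no-rule"
        for r in self.rules:                           # first matching rule in priority order
            if ternary_match(r.match, key):
                clf, meta = r.action(clf, meta)        # action may rewrite classifier and/or metadata
                hit = r.name
                break
        meta &= ~META_AGE_MASK                         # a hit refreshes the entry's age
        self.metadata[mid] = 0 if one_shot else meta   # one-shot entries are consumed after use
        return clf, hit

    def tick(self) -> None:
        """Aging sweep: bump each live entry's counter; an entry already at the limit is cleared."""
        for i, m in enumerate(self.metadata):
            if m:
                age = (m & META_AGE_MASK) >> META_AGE_SHIFT
                self.metadata[i] = 0 if age >= 7 else (m & ~META_AGE_MASK) | ((age + 1) << META_AGE_SHIFT)

# Actions (constructed): each returns the possibly modified (classifier, metadata).
def act_syn(clf, meta):    return clf, meta | META_SYN_SEEN
def act_synack(clf, meta): return clf, meta | META_SYNACK_SEEN
def act_estab(clf, meta):  return clf, meta | META_ESTAB
def act_pass(clf, meta):   return clf, meta
def act_reset(clf, meta):  return clf, 0                       # RST clears the flow's state
def act_drop(clf, meta):   return dict(clf, drop=1), meta      # set the drop bit in the descriptor

RULES = [  # priority order: earlier rules win
    Rule("rst-teardown",  {"tcp_flags": (TCP_RST, TCP_RST)}, act_reset),
    Rule("syn",           {"tcp_flags": (TCP_SYN, SYNACK)}, act_syn),
    Rule("syn-ack",       {"tcp_flags": (SYNACK, SYNACK), "meta": (META_SYN_SEEN, META_SYN_SEEN)}, act_synack),
    Rule("ack-completes", {"tcp_flags": (TCP_ACK, SYNACK), "meta": (META_SYNACK_SEEN, META_SYNACK_SEEN | META_ESTAB)}, act_estab),
    Rule("established",   {"meta": (META_ESTAB, META_ESTAB)}, act_pass),
    Rule("default-drop",  {}, act_drop),                       # no handshake state: drop
]
SERVER = 0xC0A80150   # constructed server address; both directions of its port-80 flows share entry 645
ASSIGN = [
    ({"dst_ip": (SERVER, 0xFFFFFFFF), "dst_port": (80, 0xFFFF)}, 645),
    ({"src_ip": (SERVER, 0xFFFFFFFF), "src_port": (80, 0xFFFF)}, 645),
]

def run_handshake_trace() -> Tuple[List[Tuple[str, int]], int]:
    """Constructed trace: a full handshake plus data, then an unsolicited data packet."""
    pp = StatefulPacketProcessor(ASSIGN, RULES)
    client = 0xC0A80101
    def pkt(src, dst, sport, dport, flags): return {"src_ip": src, "dst_ip": dst, "src_port": sport, "dst_port": dport, "tcp_flags": flags}
    trace = [
        pkt(client, SERVER, 40000, 80, TCP_SYN),
        pkt(SERVER, client, 80, 40000, SYNACK),
        pkt(client, SERVER, 40000, 80, TCP_ACK),
        pkt(client, SERVER, 40000, 80, TCP_ACK | TCP_PSH),
        pkt(client, 0x0A000005, 40001, 443, TCP_ACK | TCP_PSH),   # no state for this flow
    ]
    results = [pp.process(p) for p in trace]
    return [(hit, clf["drop"]) for clf, hit in results], pp.metadata[645]
```

Running the trace shows the state carried in entry 645 across packets: the SYN sets the SYN-seen bit, the SYN-ACK from the other direction (mapped to the same entry by the second assignment rule) sets the SYN-ACK-seen bit, the ACK sets the established bit, and the following data packet passes under the "established" rule. The final data packet belongs to a flow with no recorded handshake, so it falls through to the drop rule. The one-shot bit and the aging sweep are modelled as the text describes them: an entry read with the MSB set is cleared after the packet, and an entry whose counter has already saturated is cleared on the next sweep.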
  • In FIG. 6, example packet processor operation begins at 504. If a packet is received at 504, control continues at 508; otherwise, control remains at 504.
  • At 508, the packet is stored, and at 512 a classifier for the packet is extracted.
  • The classifier is stored at 516, and at 520 a metadata assignment rule is selected that best matches the classifier.
  • The metadata ID corresponding to the matching assignment rule is stored along with the classifier.
  • A metadata table is indexed by the metadata ID and the corresponding metadata is retrieved.
  • At 532, control determines a rule from a set of rules that best matches the combination of the retrieved metadata and the classifier.
  • Control selects the action pointed to by the rule matched at 532.
  • Control continues at 540, where if the action includes modifying metadata, control transfers to 544, where metadata is modified. Otherwise, control transfers to 548, where if the action includes modifying packet contents, control transfers to 552, where packet contents are modified. Otherwise, control transfers to 566, where if the action includes modifying the classifier, control transfers to 560, where the classifier is modified.
  • At 564, if another round of rule matching is to be performed, control returns to 528; otherwise, control transfers to 568.
  • At 568, the packet (which may have been modified at 552) is output.
  • The corresponding classifier (which may have been modified at 560) is also output. Control then returns to 504.
  • Although the control from 528 through 564 is shown as a loop, in various implementations the rule sets, action sets, and even metadata tables used may differ from one round to the next.
  • In this application, the term circuit may refer to, be part of, or include an Application Specific Integrated Circuit (ASIC); a digital, analog, or mixed analog/digital discrete circuit; a digital, analog, or mixed analog/digital integrated circuit; a combinational logic circuit; a field programmable gate array (FPGA); other suitable hardware components that provide the described functionality; or a combination of some or all of the above, such as in a system-on-chip.


Abstract

A packet processor includes an extraction circuit, a lookup circuit, an assignment circuit, a rule matching circuit, and an action circuit. The extraction circuit generates a first set of values based on a first packet. The lookup circuit stores metadata values. Each of the metadata values corresponds to a respective metadata identifier. The assignment circuit assigns a first metadata identifier to the first packet. The lookup circuit selectively retrieves a first metadata value that corresponds to the first metadata identifier. The rule matching circuit selects a first rule from among a predetermined set of rules based on the first set of values and the first metadata value. The action circuit identifies a first action specified by the first rule and performs the first action. The first action includes modifying the first metadata value of the plurality of metadata values.

Description

CROSS-REFERENCE TO RELATED APPLICATIONS
This application claims the benefit of U.S. Provisional Application No. 61/729,829, filed on Nov. 26, 2012. The entire disclosure of the application referenced above is incorporated herein by reference.
FIELD
The present disclosure relates to packet processing in a networking device, and more particularly to stateful packet inspection at wire speeds.
BACKGROUND
The background description provided herein is for the purpose of generally presenting the context of the disclosure. Work of the presently named inventors, to the extent the work is described in this background section, as well as aspects of the description that may not otherwise qualify as prior art at the time of filing, are neither expressly nor impliedly admitted as prior art against the present disclosure.
A router is a device that forwards packets between computer networks. A router typically includes a processor that can process packets in a stateless manner or in a stateful manner.
FIG. 1A illustrates a conventional router 100 including a first port 104, a second port 108, and a stateless packet processor 112. Although only two ports 104, 108 are shown in FIG. 1A, the router 100 may include additional ports. The stateless packet processor 112 receives packets from the first port 104 and the second port 108 and transmits packets to the first port 104 and the second port 108. The stateless packet processor 112 applies, to the packets, one or more rules from a set of rules 116. Each of the applicable rules corresponds to a respective action from a set of actions 120. Multiple rules may apply to a single packet and the application of one of the rules to the packet may cause another of the rules to also become applicable to the packet. However, the actions performed on a given packet are not dependent on any previous packets. This is the definition of stateless for the stateless packet processor 112.
FIG. 1B illustrates a conventional router 140 that uses a software-based processing system to save state information and allow for stateful packet inspection. The router 140 includes a first port 144, a second port 148, and a processor 152 that communicates with the first port 144 and the second port 148. The processor 152 executes instructions 156 out of memory 160. The memory 160 also includes state information 164, sets of rules 168, and sets of actions 172.
The state information 164 tracks characteristics of previous packets, such as whether particular types of packets have been seen from or to particular addresses, or how many of a particular type of packet have been seen. Although the processor 152 is able to store the state information 164, the speed of a software system is limited. For example only, at the present time a processor may be capable of inspecting traffic at 4 to 8 Gbps. Meanwhile, network ports of 10 Gbps or 40 Gbps are common in enterprise switches, and a single switch may have a dozen ports or more. A software-based solution is therefore too slow to run at the wire speed (also known as line speed) of 10 Gbps or 40 Gbps per port.
FIG. 1C illustrates a conventional router 180 that includes a first port 184, a second port 188, and a programmable stateful network processor 192. The network processor 192 includes state information 196, sets of rules 200, and sets of actions 204. Network processors are special-purpose processors with instruction sets tailored to packet processing and specific hardware resources dedicated to packet processing tasks.
Network processors are therefore less flexible than software-based solutions. If a particular packet processing operation was not envisioned by, or implemented by, the designer of the network processor, that processing task may be difficult to implement on the network processor and/or may operate with decreased performance. A network processor must be programmed and the microprogramming required generally requires a very detailed understanding of the hardware components of the network processor and their interaction. Further, network processors are much more expensive than standard packet processors.
SUMMARY
A packet processor includes an extraction circuit, a lookup circuit, an assignment circuit, a rule matching circuit, and an action circuit. The extraction circuit generates a first set of values based on a first packet. The lookup circuit stores metadata values. Each of the metadata values corresponds to a respective metadata identifier. The assignment circuit assigns a first metadata identifier to the first packet. The lookup circuit selectively retrieves a first metadata value that corresponds to the first metadata identifier. The rule matching circuit selects a first rule from among a predetermined set of rules based on the first set of values and the first metadata value. The action circuit identifies a first action specified by the first rule and performs the first action. The first action includes modifying the first metadata value of the plurality of metadata values.
A method of operating a network device includes generating a first set of values based on a first packet. The method further includes storing metadata values. Each metadata value of the metadata values corresponds to a respective metadata identifier of a plurality of unique metadata identifiers. The method further includes assigning a first metadata identifier to the first packet. The method further includes selectively retrieving a first metadata value of the plurality of metadata values that corresponds to the first metadata identifier. The method further includes selecting a first rule from among a predetermined set of rules based on the first set of values and the first metadata value of the plurality of metadata values. The method further includes identifying a first action specified by the first rule of the predetermined set of rules. The method further includes performing the first action. The first action includes modifying the first metadata value of the plurality of metadata values.
Further areas of applicability of the present disclosure will become apparent from the detailed description, the claims and the drawings. The detailed description and specific examples are intended for purposes of illustration only and are not intended to limit the scope of the disclosure.
BRIEF DESCRIPTION OF DRAWINGS
FIG. 1A is a functional block diagram of an example router according to the prior art.
FIG. 1B is another implementation of a router according to the prior art.
FIG. 1C is yet another implementation of a router according to the prior art.
FIG. 2 is a functional block diagram of a networking device according to one implementation of the principles of the present disclosure.
FIGS. 3A-3B are functional block diagrams of example implementations of a packet processor.
FIGS. 4A-4C are functional block diagrams of additional example implementations of a packet processor.
FIGS. 5A-5C graphically depict elements of the packet processor of FIGS. 4A-4C and illustrate example data flow.
FIG. 6 is a flowchart showing example operation of a packet processor according to one implementation of the principles of the present disclosure.
In the drawings, reference numbers may be reused to identify similar and/or identical elements.
DESCRIPTION
FIG. 2 illustrates a networking device 300 that includes N ports 304-1, 304-2, . . . 304-N (collectively, ports 304). The ports 304 provide incoming packets to an ingress circuit 308, which provides the packets to a packet processor 312. The packet processor 312 processes each packet and, for packets that are not going to be dropped, outputs the packets to an egress circuit 316. The egress circuit 316 outputs packets over a respective one of the ports 304 based on descriptors provided by the packet processor 312. The networking device 300 may include a firewall, an intrusion prevention system, and/or an intrusion detection system.
FIG. 3 illustrates a first example implementation of the packet processor 312. The packet processor 312 includes an extraction circuit 350 that generates a descriptor based on an incoming packet. The descriptor may include information extracted directly from the packet and/or calculated based on packet fields. For example only, the descriptor may include source and target addresses, quality of service parameters, etc.
The descriptor is provided to a rule matching circuit 354 that selects a rule either exactly matching the descriptor or based on a best match. The rule matching circuit 354 may evaluate a predetermined set of rules in a predefined order and select the first matching rule. Further rules in the predetermined set of rules that would have matched the descriptor are ignored once the match is found. Alternatively, actions corresponding to all matching rules may be performed. Because the actions may be inconsistent, the actions may be performed in reverse order of priority—i.e., the action corresponding to the highest priority rule is performed last, and can therefore partially or fully override actions corresponding to lower priority rules.
The matched rule from the rule matching circuit 354 includes a pointer to a specific action in an action circuit 358. The action circuit 358 performs the action pointed to by the rule matching circuit 354. The incoming packet may be stored in a packet storage circuit 362. The selected action of the action circuit 358 may include modifying part of the packet stored in the packet storage circuit 362. In addition, the action circuit 358 may update the descriptor and output the updated descriptor. The updated descriptor may include bits indicating what should be done with the corresponding packet. For example, a single bit may indicate that the packet should be dropped. Multiple bits of the descriptor may indicate a port from which the packet should be forwarded.
The descriptor (as modified) from the action circuit 358 may be output from the packet processor 312 along with a copy of the packet (as modified). In other implementations, such as is shown in FIG. 3A, additional rule sets may be applied to the packet. The descriptor is therefore provided to a second rule matching circuit 366, which identifies a rule that matches the descriptor and points to an action in a second action circuit 370. The second action circuit 370 performs the selected action, which may include modifying the packet stored in the packet storage circuit 362 and/or the descriptor.
Although shown with two iterations of rule matching, a packet processor according to the present disclosure may implement additional rounds of rule matching. In various implementations, the rule sets used by the rule matching circuit 354 and the second rule matching circuit 366 may be the same. In addition, the sets of actions in the action circuit 358 and the second action circuit 370 may be the same.
As shown in FIG. 3B, the action circuit 358 and the rule matching circuit 354 of a packet processor 380 may iteratively operate on the packet and the descriptor for multiple rounds. In one implementation, the extraction circuit 350 provides the descriptor to the action circuit 358 via a first input of a multiplexer 390. After performing the designated action, the action circuit 358 can feed the descriptor back to the rule matching circuit 354 via a second input of the multiplexer 390.
FIG. 4A illustrates a packet processor 400 according to one implementation. The packet processor 400 keeps track of state information, thereby allowing for stateful packet inspection. The packet processor 400 builds on the disclosure of FIGS. 3A and 3B. In other words, one or more rounds of rule matching may be performed using either or both of the techniques shown in FIGS. 3A and 3B. The additional structures described for storing state information can be implemented in an existing non-programmable packet processor, such as a packet processor in the Marvell® Prestera® family.
In the packet processor 400, an extraction circuit 404 receives an incoming packet and prepares a descriptor. The descriptor is provided to an assignment circuit 408, which determines a metadata identifier corresponding to the descriptor. The metadata identifier is an index into a metadata table 412, also called a lookup circuit. The metadata table 412 stores multiple metadata entries that are persistent across multiple packets. In other words, the metadata may be updated by an action corresponding to one packet and then referenced by a rule corresponding to a future packet.
In various implementations, the metadata table 412 may include 1,024 metadata entries that are each 16 bits in length. The 16 bits can be bit-masked and subdivided for semantics and code-space divisions. For example, one of the bits, such as the most significant bit, can indicate that the metadata entry is to be used only once. In another example, multiple bits may be used as an aging counter to determine when the metadata may be stale and no longer relevant, or for use in determining which metadata to replace with more recent data. A single bit could indicate whether a transmission control protocol (TCP) connection is established. In another example, multiple bits may be used to track the TCP handshake process.
Each entry of the metadata table 412 stores a value and is identified by a corresponding metadata identifier. In various implementations, the metadata entries are numbered sequentially, and the metadata identifier indicates the metadata entry's location within that sequential order. For example only, with 1,024 (2^10) metadata entries, the metadata entries can be numbered from 0 to 1,023, with the metadata identifier being a 10-bit binary number. In response to receiving a metadata identifier of, for example, 645 (1010000101 in binary), the metadata table 412 returns the value stored in the 646th metadata entry.
In one particular implementation, the assignment circuit 408 may be set up so that incoming packets corresponding to a certain destination address and certain TCP port number are assigned the same metadata identifier. In this way, the metadata corresponding to that metadata identifier may store information relating to that flow of packets, such as whether a TCP connection has been established and/or a measure of throughput for that flow of packets.
A tagging circuit 416 combines the descriptor with the metadata identifier and outputs the tagged descriptor to a rule matching circuit 420 and the metadata table 412. The tagging circuit 416 may simply concatenate the descriptor with the metadata identifier. The metadata identifier portion of the descriptor indexes the metadata table 412, which allows the metadata table 412 to provide corresponding metadata to the rule matching circuit 420. Based on the provided metadata and the descriptor, the rule matching circuit 420 identifies a matching rule.
The matching rule points to a particular action in an action circuit 424. The identified action may modify the descriptor, may modify the incoming packet as stored in a packet storage circuit 428, and/or may modify the associated metadata in the metadata table 412. Similarly to FIG. 3A, the descriptor as updated may be provided to a second rule matching circuit 432, which identifies a matching rule based on the descriptor as well as based on the corresponding metadata from the metadata table 412. The second rule matching circuit 432 selects a corresponding action in a second action circuit 436.
The second action circuit 436 may modify metadata in the metadata table 412, packet data in the packet storage circuit 428, and/or the packet descriptor. The resulting descriptor is output from the packet processor 400, as is the outgoing packet. In the implementation depicted, the egress circuit 316 of FIG. 2 may receive a packet and a descriptor indicating that the packet should be dropped. In other implementations, when the descriptor of an outgoing packet indicates the packet should be dropped, the descriptor and the outgoing packet may simply not be forwarded to the egress circuit 316.
Although FIG. 4A shows a single metadata table, a metadata table may be implemented in the packet processor 400 for each set of rules. See, for example, FIG. 4B, where an example packet processor 440 includes a second metadata table 450 configured to provide metadata to the second rule matching circuit 432 based on the metadata identifier embedded in the descriptor. A metadata table may be dedicated to each networking port, to each packet queue, and/or to each virtual local area network (VLAN). A metadata table may also be dedicated to storing counters, which may be used to track packets in particular flows for rate limiting and/or quality of service control. When rule matching and action performance is pipelined, a metadata table may be implemented for each pipeline stage.
Different metadata tables may also be assigned per individual rule. For example, a rule matching circuit may evaluate a set of rules in a predefined order. When evaluating the first rule to determine a match, the rule matching circuit may use metadata values from a first metadata table, and when evaluating the second rule to determine a match, the rule matching circuit may use metadata values from a second metadata table, etc. In various implementations, the first rule to match is selected, meaning that rules earlier in the predefined order have a higher priority.
For each round of rule matching, the metadata identifier for the packet may be changed. For example, the assignment circuit 408 may assign a metadata identifier to the packet for a first round based on a TCP port number of the packet. For a second round of rule matching, a different metadata identifier based on source address may be assigned to the packet.
FIG. 4C shows an example packet processor 480 in an iterative configuration, where the action circuit 424 and the rule matching circuit 420 perform one or more rounds of rule matching and actions on a packet. A multiplexer 484, which may operate similarly to the multiplexer 390 of FIG. 3B, allows the descriptor to be fed back to the metadata table 412, the rule matching circuit 420, and the action circuit 424 for additional rounds of processing.
In FIG. 5A, an incoming packet (referred to as the “first packet”) is stored into a packet memory in phase 1, depicted with a numeral 1 in a circle. In phase 2, the first packet is provided to the extraction circuit 404, which generates a first classifier. The first classifier is stored in a corresponding section of classifier memory in phase 3. The classifier memory also includes a field for a metadata ID, but the metadata ID field is not immediately known. In phase 4 the stored first classifier is provided to assignment memory, which has a set of rules and corresponding metadata IDs. The first classifier is used to match against the set of rules in the assignment memory, and the metadata ID corresponding to the matched rule (referred to as the first ID) is provided to the classifier memory for storage with the first classifier in phase 5.
In FIG. 5B, the first ID is used to index into metadata memory in phase 6. In phase 7 the designated metadata is output from the metadata memory, and in phase 8 the first classifier from the classifier memory is output. The designated metadata and the first classifier are combined, such as by using concatenation, and the resulting combination is used in phase 9 to identify a matching rule in first rule memory. In phase 10, a pointer stored by the matching rule identifies an action in a first action memory.
In FIG. 5C, phase 11 includes performing the target action from the first action memory. The selected action may include modifying the first classifier, modifying the designated metadata, and/or modifying the first packet. Phases 7 through 11 may be repeated on the packet, with the same or differing rule memory and with the same or differing action memory.
The packet processor 400 may allow significant stateful packet inspection functionality without requiring network processors or the less-than-wire-speed performance of a software implementation. To allow for fast lookups, the rule tables and assignment tables described above may be implemented as content-addressable memories, or more particularly as ternary content addressable memories. Ternary content addressable memories allow for matches where certain bits that are not of interest are ignored.
In FIG. 6, example packet processor operation begins at 504. If a packet is received at 504, control continues at 508; otherwise, control remains at 504. At 508 the packet is stored, and at 512 a classifier for the packet is extracted. The classifier is stored at 516, and at 520 a metadata assignment rule is selected that best matches the classifier. At 524, the metadata ID corresponding to the matching assignment rule is stored along with the classifier. At 528, a metadata table is indexed by the metadata ID and the corresponding metadata is retrieved.
At 532, control determines a rule from a set of rules that best matches the combination of the retrieved metadata and the classifier. At 536, control selects the action pointed to by the rule matched at 532. Control continues at 540, where if the action includes modifying metadata, control transfers to 544, where metadata is modified. Otherwise, control transfers to 548, where if the action includes modifying packet contents, control transfers to 552, where packet contents are modified. Otherwise, control transfers to 566, where if the action includes modifying the classifier, control transfers to 560, where the classifier is modified.
At 564, if additional rounds of rule matching are to be performed, control returns to 528; otherwise, control transfers to 568. At 568, the packet (which may have been modified at 552) is output. In addition, the corresponding classifier (which may have been modified at 560) is also output. Control then returns to 504. Although the control from 528 through 564 is shown as a loop, in various implementations the rule sets, action sets, and even metadata tables used may differ from one round to the next.
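The following Python model is an added illustration, not code from the patent: it runs the control flow of FIG. 6 over constructed traffic, using the persistent metadata table of FIG. 4A, the ternary (value/mask) matching noted for the rule and assignment tables, and the handshake-stage and connection-established bits suggested as metadata semantics. The bit layout of the 16-bit entry, the flag encoding, the sample addresses, entry 17 as the tracked flow and entry 0 as the "untracked" entry are all assumptions.

```python
# Software model of the stateful packet-processor pipeline described above:
# extraction -> metadata-ID assignment -> metadata lookup -> ternary rule
# match on classifier plus metadata -> action that may rewrite the metadata.
# Added illustration, not code from the patent; the bit layout of the 16-bit
# entry, the flag encoding, the addresses and the flows are all constructed.
from dataclasses import dataclass

META_ENTRIES = 1024                    # 1,024 entries of 16 bits, as in the text
MID_MASK = 0x3FF                       # 10-bit metadata identifier
USE_ONCE = 1 << 15                     # MSB: entry may be used only once
STAGE_SHIFT, STAGE_MASK = 1, 0x3 << 1  # 2-bit TCP handshake stage (assumed)
TCP_ESTABLISHED = 1 << 0               # bit 0: connection established (assumed)
SYN, ACK = 1, 2                        # TCP flag bits in the classifier (assumed)
SERVER = 0x0A000005                    # 10.0.0.5, a constructed sample address

@dataclass
class Packet:
    src: int
    dst: int
    dport: int
    flags: int

def extract(pkt):
    """Extraction circuit: derive the classifier (descriptor) from packet fields."""
    return {"src": pkt.src, "dst": pkt.dst, "dport": pkt.dport, "flags": pkt.flags}

def ternary_match(pattern, fields):
    """TCAM-style match: {field: (value, mask)}; bits with mask 0 are ignored,
    and an empty pattern matches everything."""
    return all((fields[k] & m) == (v & m) for k, (v, m) in pattern.items())

class MetadataTable:
    """Lookup circuit: 16-bit values that persist across packets, indexed by ID."""
    def __init__(self):
        self.entries = [0] * META_ENTRIES

    def lookup(self, mid):
        value = self.entries[mid]
        if value & USE_ONCE:           # a use-once entry is cleared as it is read
            self.entries[mid] = 0
        return value

    def write(self, mid, value):
        self.entries[mid] = value & 0xFFFF

def set_stage(stage):
    """Action: record handshake progress in the packet's metadata entry."""
    def action(tagged, meta):
        meta.write(tagged["mid"], (tagged["meta"] & ~STAGE_MASK) | (stage << STAGE_SHIFT))
        return "forward"
    return action

def establish(tagged, meta):
    """Action: handshake complete; clear the stage bits and mark the flow established."""
    meta.write(tagged["mid"], (tagged["meta"] & ~STAGE_MASK) | TCP_ESTABLISHED)
    return "forward"

def forward(tagged, meta):
    return "forward"

def drop(tagged, meta):
    return "drop"

# Assignment memory: classifier pattern -> metadata ID. Every packet to the
# server's port 80 shares entry 17; anything else falls back to entry 0.
ASSIGN_RULES = [({"dst": (SERVER, 0xFFFFFFFF), "dport": (80, 0xFFFF)}, 17)]

# Rule memory, evaluated in order, first match wins. The "meta" field is the
# retrieved metadata value, so the rules see the state left by earlier packets.
RULES = [
    ({"mid": (0, MID_MASK)}, drop),                                   # untracked flow
    ({"flags": (SYN, SYN | ACK),
      "meta": (0, STAGE_MASK | TCP_ESTABLISHED)}, set_stage(1)),      # SYN opens
    ({"flags": (ACK, SYN | ACK),
      "meta": (1 << STAGE_SHIFT, STAGE_MASK)}, establish),            # ACK completes
    ({"meta": (TCP_ESTABLISHED, TCP_ESTABLISHED)}, forward),          # established
    ({}, drop),                                                       # no state for packet
]

def process(pkt, meta, assign_rules=ASSIGN_RULES, rules=RULES):
    """One round of FIG. 6: extract, assign, look up, match, act."""
    clf = extract(pkt)
    mid = next((m for pat, m in assign_rules if ternary_match(pat, clf)), 0)
    tagged = dict(clf, mid=mid, meta=meta.lookup(mid))   # tagging circuit
    for pattern, action in rules:
        if ternary_match(pattern, tagged):
            return action(tagged, meta)
    return "forward"

def demo():
    """Constructed traffic: a proper handshake, then two packets that lack state."""
    meta = MetadataTable()
    client = 0xC0A80102                                   # 192.168.1.2
    verdicts = [
        process(Packet(client, SERVER, 80, SYN), meta),   # forward, stage -> 1
        process(Packet(client, SERVER, 80, ACK), meta),   # forward, established
        process(Packet(client, SERVER, 80, ACK), meta),   # forward, data on flow
        process(Packet(client, SERVER, 443, ACK), meta),  # drop, no assignment rule
        process(Packet(client, SERVER, 80, ACK), MetadataTable()),  # drop, no SYN seen
    ]
    return verdicts, meta.entries[17]

if __name__ == "__main__":
    print(demo())
```

The last two calls show the stateful point of the design: the same ACK that is forwarded once entry 17 records an established connection is dropped when the metadata holds no handshake state.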
The foregoing description is merely illustrative in nature and is in no way intended to limit the disclosure, its application, or uses. The broad teachings of the disclosure can be implemented in a variety of forms. Therefore, while this disclosure includes particular examples, the true scope of the disclosure should not be so limited since other modifications will become apparent upon a study of the drawings, the specification, and the following claims. As used herein, the phrase at least one of A, B, and C should be construed to mean a logical (A or B or C), using a non-exclusive logical OR. It should be understood that one or more steps within a method may be executed in different order (or concurrently) without altering the principles of the present disclosure.
The term circuit may refer to, be part of, or include an Application Specific Integrated Circuit (ASIC); a digital, analog, or mixed analog/digital discrete circuit; a digital, analog, or mixed analog/digital integrated circuit; a combinational logic circuit; a field programmable gate array (FPGA); other suitable hardware components that provide the described functionality; or a combination of some or all of the above, such as in a system-on-chip.

Claims (27)

What is claimed is:
1. A packet processor comprising:
an extraction circuit configured to generate a first set of values based on a first packet;
a lookup circuit configured to store a plurality of metadata values, wherein each metadata value of the plurality of metadata values corresponds to a respective metadata identifier of a plurality of unique metadata identifiers;
an assignment circuit configured to assign a first metadata identifier to the first packet, wherein the lookup circuit is configured to selectively retrieve a first metadata value of the plurality of metadata values that corresponds to the first metadata identifier;
a rule matching circuit configured to select a first rule from among a predetermined set of rules based on (i) the first set of values and (ii) the first metadata value of the plurality of metadata values; and
an action circuit configured to (i) identify a first action specified by the first rule of the predetermined set of rules and (ii) perform the first action, wherein the first action includes modifying the first metadata value of the plurality of metadata values.
2. The packet processor of claim 1, wherein the first action includes modifying the first set of values.
3. The packet processor of claim 1, wherein the first action includes modifying the first packet.
4. The packet processor of claim 1, wherein each metadata value of the plurality of metadata values comprises a bit field.
5. The packet processor of claim 4, wherein, for each metadata value of the plurality of metadata values, a first bit of the bit field specifies whether information from the bit field is to be used only once.
6. The packet processor of claim 4, wherein, for each metadata value of the plurality of metadata values, a first plurality of bits of the bit field indicates an age of information in the bit field.
7. The packet processor of claim 1, further comprising a second lookup circuit configured to store a second plurality of metadata values, wherein:
each metadata value of the second plurality of metadata values corresponds to a respective metadata identifier of a second plurality of unique metadata identifiers,
the rule matching circuit is configured to use information from the lookup circuit to evaluate the first rule of the predetermined set of rules, and
the rule matching circuit is configured to use information from the second lookup circuit to evaluate a second rule of the predetermined set of rules.
8. The packet processor of claim 1, wherein:
the rule matching circuit is configured to select the first rule from among the predetermined set of rules based on (i) the first set of values and (ii) a value of a first counter, and
the first metadata value of the plurality of metadata values stores the value of the first counter.
9. The packet processor of claim 8, further comprising a second lookup circuit configured to store a second plurality of metadata values, wherein each metadata value of the second plurality of metadata values corresponds to a respective metadata identifier of a second plurality of unique metadata identifiers, and wherein one of the second plurality of metadata values stores a value of a second counter.
10. The packet processor of claim 1, further comprising:
a second lookup circuit configured to store a second plurality of metadata values, wherein each metadata value of the second plurality of metadata values corresponds to a respective metadata identifier of a second plurality of unique metadata identifiers, wherein the second lookup circuit is configured to selectively retrieve a second metadata value of the second plurality of metadata values that corresponds to the first metadata identifier;
a second rule matching circuit configured to select a second rule from among a second predetermined set of rules based on (i) the first set of values and (ii) the second metadata value of the second plurality of metadata values; and
a second action circuit configured to (i) select a second action specified by the second rule of the second predetermined set of rules, and (ii) perform the second action, wherein the second action includes modifying the selected one of the plurality of metadata values.
11. The packet processor of claim 10, wherein the second predetermined set of rules is a duplicate of the predetermined set of rules.
12. A networking device comprising:
the packet processor of claim 1; and
a plurality of network ports.
13. The networking device of claim 12, wherein the plurality of network ports each have a respective line speed, and wherein the packet processor is configured to process packets from the plurality of network ports at the respective line speeds of the plurality of network ports.
14. The networking device of claim 12, wherein the networking device comprises a firewall.
15. The networking device of claim 12, wherein the networking device comprises at least one of an intrusion prevention system or an intrusion detection system.
16. A method of operating a network device, the method comprising:
generating a first set of values based on a first packet;
storing a plurality of metadata values, wherein each metadata value of the plurality of metadata values corresponds to a respective metadata identifier of a plurality of unique metadata identifiers;
assigning a first metadata identifier to the first packet;
selectively retrieving a first metadata value of the plurality of metadata values that corresponds to the first metadata identifier;
selecting a first rule from among a predetermined set of rules based on (i) the first set of values and (ii) the first metadata value of the plurality of metadata values;
identifying a first action specified by the first rule of the predetermined set of rules; and
performing the first action, wherein the first action includes modifying the first metadata value of the plurality of metadata values.
17. The method of claim 16, wherein the first action includes modifying the first set of values.
18. The method of claim 16, wherein the first action includes modifying the first packet.
19. The method of claim 16, wherein each metadata value of the plurality of metadata values comprises a bit field.
20. The method of claim 19, wherein, for each metadata value of the plurality of metadata values, a first bit of the bit field specifies whether information from the bit field is to be used only once.
21. The method of claim 19, wherein, for each metadata value of the plurality of metadata values, a first plurality of bits of the bit field indicates an age of information in the bit field.
22. The method of claim 16, further comprising:
storing a second plurality of metadata values, wherein each metadata value of the second plurality of metadata values corresponds to a respective metadata identifier of a second plurality of unique metadata identifiers;
using information from the plurality of metadata values to evaluate the first rule of the predetermined set of rules; and
using information from the second plurality of metadata values to evaluate a second rule of the predetermined set of rules.
23. The method of claim 16, wherein the selecting the first rule from among the predetermined set of rules is performed based on (i) the first set of values and (ii) a value of a first counter, wherein the first metadata value of the plurality of metadata values stores the value of the first counter.
24. The method of claim 23, further comprising storing a second plurality of metadata values, wherein each metadata value of the second plurality of metadata values corresponds to a respective metadata identifier of a second plurality of unique metadata identifiers, and wherein one of the second plurality of metadata values stores a value of a second counter.
25. The method of claim 16, further comprising:
storing a second plurality of metadata values, wherein each metadata value of the second plurality of metadata values corresponds to a respective metadata identifier of a second plurality of unique metadata identifiers;
selectively retrieving a second metadata value of the second plurality of metadata values that corresponds to the first metadata identifier;
selecting a second rule from among a second predetermined set of rules based on (i) the first set of values and (ii) the second metadata value of the second plurality of metadata values;
selecting a second action specified by the second rule of the second predetermined set of rules; and
performing the second action, wherein the second action includes modifying the selected one of the plurality of metadata values.
26. The method of claim 25, wherein the second predetermined set of rules is a duplicate of the predetermined set of rules.
27. The method of claim 16, wherein the networking device includes a plurality of network ports, wherein the plurality of network ports each have a respective line speed, and wherein the method includes processing packets from the plurality of network ports at the respective line speeds of the plurality of network ports.
US14/090,368 2012-11-26 2013-11-26 Mechanism for wire-speed stateful packet inspection in packet processors Active 2034-10-18 US9319351B1 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
US14/090,368 US9319351B1 (en) 2012-11-26 2013-11-26 Mechanism for wire-speed stateful packet inspection in packet processors

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
US201261729829P 2012-11-26 2012-11-26
US14/090,368 US9319351B1 (en) 2012-11-26 2013-11-26 Mechanism for wire-speed stateful packet inspection in packet processors

Publications (1)

Publication Number Publication Date
US9319351B1 true US9319351B1 (en) 2016-04-19

Family

ID=55700146

Family Applications (1)

Application Number Title Priority Date Filing Date
US14/090,368 Active 2034-10-18 US9319351B1 (en) 2012-11-26 2013-11-26 Mechanism for wire-speed stateful packet inspection in packet processors

Country Status (1)

Country Link
US (1) US9319351B1 (en)

Citations (13)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20020065938A1 (en) * 2000-06-23 2002-05-30 Jungck Peder J. Edge adapter architecture apparatus and method
US6496935B1 (en) * 2000-03-02 2002-12-17 Check Point Software Technologies Ltd System, device and method for rapid packet filtering and processing
US20030041172A1 (en) 2001-08-22 2003-02-27 International Business Machines Corporation Stateless message processing scheme for network processors interactions
US20080201772A1 (en) 2007-02-15 2008-08-21 Maxim Mondaeev Method and Apparatus for Deep Packet Inspection for Network Intrusion Detection
US7424019B1 (en) 2001-11-27 2008-09-09 Marvell Israel (M.I.S.L) Ltd. Packet header altering device
US7626938B1 (en) 2005-03-31 2009-12-01 Marvell Israel (M.I.S.L) Ltd. Local area network switch using control plane packet mirroring to support multiple network traffic analysis devices
US20100138543A1 (en) * 2008-12-03 2010-06-03 At&T Intellectual Property I,L.P Real-time content detection in ISP transmissions
US20110116507A1 (en) 2009-11-16 2011-05-19 Alon Pais Iterative parsing and classification
US8065721B1 (en) * 2007-08-10 2011-11-22 Juniper Networks, Inc. Merging filter rules to reduce forwarding path lookup cycles
US20120110656A1 (en) * 2010-11-02 2012-05-03 Jose Renato Santos Selective invalidation of packet filtering results
US20120177047A1 (en) 2011-01-06 2012-07-12 Amir Roitshtein Network device with a programmable core
US8255515B1 (en) 2006-01-17 2012-08-28 Marvell Israel (M.I.S.L.) Ltd. Rate limiting per-flow of traffic to CPU on network switching and routing devices
US8339959B1 (en) * 2008-05-20 2012-12-25 Juniper Networks, Inc. Streamlined packet forwarding using dynamic filters for routing and security in a shared forwarding plane

Patent Citations (13)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6496935B1 (en) * 2000-03-02 2002-12-17 Check Point Software Technologies Ltd System, device and method for rapid packet filtering and processing
US20020065938A1 (en) * 2000-06-23 2002-05-30 Jungck Peder J. Edge adapter architecture apparatus and method
US20030041172A1 (en) 2001-08-22 2003-02-27 International Business Machines Corporation Stateless message processing scheme for network processors interactions
US7424019B1 (en) 2001-11-27 2008-09-09 Marvell Israel (M.I.S.L) Ltd. Packet header altering device
US7626938B1 (en) 2005-03-31 2009-12-01 Marvell Israel (M.I.S.L) Ltd. Local area network switch using control plane packet mirroring to support multiple network traffic analysis devices
US8255515B1 (en) 2006-01-17 2012-08-28 Marvell Israel (M.I.S.L.) Ltd. Rate limiting per-flow of traffic to CPU on network switching and routing devices
US20080201772A1 (en) 2007-02-15 2008-08-21 Maxim Mondaeev Method and Apparatus for Deep Packet Inspection for Network Intrusion Detection
US8065721B1 (en) * 2007-08-10 2011-11-22 Juniper Networks, Inc. Merging filter rules to reduce forwarding path lookup cycles
US8339959B1 (en) * 2008-05-20 2012-12-25 Juniper Networks, Inc. Streamlined packet forwarding using dynamic filters for routing and security in a shared forwarding plane
US20100138543A1 (en) * 2008-12-03 2010-06-03 At&T Intellectual Property I,L.P Real-time content detection in ISP transmissions
US20110116507A1 (en) 2009-11-16 2011-05-19 Alon Pais Iterative parsing and classification
US20120110656A1 (en) * 2010-11-02 2012-05-03 Jose Renato Santos Selective invalidation of packet filtering results
US20120177047A1 (en) 2011-01-06 2012-07-12 Amir Roitshtein Network device with a programmable core

Non-Patent Citations (3)

* Cited by examiner, † Cited by third party
Title
Corner, Douglas; Network Processors: Programmable Technology for Building Network Systems; Dec. 2004; 8 pages.
Dobrescu, Mihai et al; Toward Predictable Performance in Software Packet-Processing Platforms; 2012; 14 pages.
Trabelsi, Zouheir; Teaching Stateless and Stateful Firewall Packet Filtering: A Hands-on Approach; Jun. 11, 2012; 8 pages.

Similar Documents

Publication Publication Date Title
EP3035613B1 (en) Ccn routing using hardware-assisted hash tables
US9973599B2 (en) Parser for parsing header in packet and related packet processing apparatus
US8638793B1 (en) Enhanced parsing and classification in a packet processor
US9569561B2 (en) Label masked addressable memory
US10938966B2 (en) Efficient packet classification for dynamic containers
US20160105397A1 (en) Firewall Packet Filtering
US10855480B2 (en) Systems and methods for processing packets in a computer network
WO2019173410A1 (en) Chained longest prefix matching in programmable switch
US8024787B2 (en) Packet firewalls of particular use in packet switching devices
US10348603B1 (en) Adaptive forwarding tables
US10057193B2 (en) Cardinality based packet processing in software-defined networking (SDN) switches
US10459729B2 (en) Map tables for hardware tables
US20180107759A1 (en) Flow classification method and device and storage medium
US20160352620A1 (en) Adjusting Control-Plane Allocation of Packet Processing Resources
US9819587B1 (en) Indirect destination determinations to forward tunneled network packets
US11700202B2 (en) Port extender with local switching
US10554547B2 (en) Scalable network address translation at high speed in a network environment
US20150172177A1 (en) Ultra Low Latency Multi-Protocol Network Device
US10887234B1 (en) Programmatic selection of load balancing output amongst forwarding paths
US20210266264A1 (en) Systems and methods for stateful packet processing
US10003676B2 (en) Method and apparatus for generating parallel lookup requests utilizing a super key
US8605732B2 (en) Method of providing virtual router functionality
JP5760012B2 (en) Method and system for common group behavior filtering in a communication network environment
US9210103B1 (en) Policy control list keys for network devices
US9319351B1 (en) Mechanism for wire-speed stateful packet inspection in packet processors

Legal Events

Date Code Title Description

AS Assignment
Owner name: MARVELL INTERNATIONAL LTD., BERMUDA
Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:MARVELL SEMICONDUCTOR, INC.;REEL/FRAME:033478/0044
Effective date: 20140403

Owner name: MARVELL ISRAEL (M.I.S.L) LTD, ISRAEL
Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:MELMAN, DAVID;REEL/FRAME:033482/0496
Effective date: 20131120

Owner name: MARVELL SEMICONDUCTOR, INC., CALIFORNIA
Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNORS:ORR, MICHAEL;HUTT, GAD;SAFRAI, URI;SIGNING DATES FROM 20140213 TO 20140331;REEL/FRAME:033477/0922

STCF Information on status: patent grant
Free format text: PATENTED CASE

MAFP Maintenance fee payment
Free format text: PAYMENT OF MAINTENANCE FEE, 4TH YEAR, LARGE ENTITY (ORIGINAL EVENT CODE: M1551); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY
Year of fee payment: 4

AS Assignment
Owner name: CAVIUM INTERNATIONAL, CAYMAN ISLANDS
Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:MARVELL INTERNATIONAL LTD.;REEL/FRAME:052918/0001
Effective date: 20191231

AS Assignment
Owner name: MARVELL ASIA PTE, LTD., SINGAPORE
Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:CAVIUM INTERNATIONAL;REEL/FRAME:053475/0001
Effective date: 20191231

MAFP Maintenance fee payment
Free format text: PAYMENT OF MAINTENANCE FEE, 8TH YEAR, LARGE ENTITY (ORIGINAL EVENT CODE: M1552); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY
Year of fee payment: 8